13.2.3.2. Enabling Tang disk encryption

Use this procedure to enable Tang mode disk encryption during OpenShift Container Platform deployment.

Procedure

  1. Access a Red Hat Enterprise Linux server from which you can configure the encryption settings and run openshift-install to install a cluster and oc to work with it.
  2. Set up or access an existing Tang server. See Network-bound disk encryption for instructions. See Securing Automated Decryption New Cryptography and Techniques for a presentation on Tang.
  3. Add kernel arguments to configure networking when you do the Red Hat Enterprise Linux CoreOS (RHCOS) installations for your cluster. For example, to configure DHCP networking, specify ip=dhcp, or set static networking when you add parameters to the kernel command line. For both DHCP and static networking, you also must provide the rd.neednet=1 kernel argument.

Important

Skipping this step causes the second boot to fail.

  4. Install the clevis package, if it is not already installed:

     $ sudo yum install clevis -y

  5. Generate a thumbprint from the Tang server.

    1. In the following command, replace the value of url with the Tang server URL:

      $ echo nifty random wordwords \
           | clevis-encrypt-tang \
             '{"url":"https://tang.example.org"}'

      Example output

      The advertisement contains the following signing keys:

      PLjNyRdGw03zlRoGjQYMahSZGu9

    2. When the Do you wish to trust these keys? [ynYN] prompt displays, type Y, and the thumbprint is displayed:

      Example output

      eyJhbmc3SlRyMXpPenc3ajhEQ01tZVJiTi1oM...

  6. Create a Base64 encoded file, replacing the URL of the Tang server (url) and the thumbprint (thp) that you just generated:

    $ (cat <<EOM
    {
     "url": "https://tang.example.com",
     "thp": "PLjNyRdGw03zlRoGjQYMahSZGu9"
    }
    EOM
    ) | base64 -w0

    Example output

    ewogInVybCI6ICJodHRwczovL3RhbmcuZXhhbXBsZS5jb20iLAogInRocCI6ICJaUk1leTFjR3cwN3psVExHYlhuUWFoUzBHdTAiCn0K

  7. In the openshift directory, create master or worker files to encrypt disks for those nodes. In each file, replace the Base64 string that follows data:text/plain;base64, with the string you generated in the previous step, so that the node's /etc/clevis.json pins your Tang server URL and thumbprint.

    • For worker nodes, use the following command:

      $ cat << EOF > ./99-openshift-worker-tang-encryption.yaml
      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      metadata:
        name: worker-tang
        labels:
          machineconfiguration.openshift.io/role: worker
      spec:
        config:
          ignition:
            version: 2.2.0
          storage:
            files:
            - contents:
                source: data:text/plain;base64,ewogInVybCI6ICJodHRwczovL3RhbmcuZXhhbXBsZS5jb20iLAogInRocCI6ICJaUk1leTFjR3cwN3psVExHYlhuUWFoUzBHdTAiCn0K
              filesystem: root
              mode: 420
              path: /etc/clevis.json
      EOF

    • For master nodes, use the following command:

      $ cat << EOF > ./99-openshift-master-tang-encryption.yaml
      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      metadata:
        name: master-tang
        labels:
          machineconfiguration.openshift.io/role: master
      spec:
        config:
          ignition:
            version: 2.2.0
          storage:
            files:
            - contents:
                source: data:text/plain;base64,ewogInVybCI6ICJodHRwczovL3RhbmcuZXhhbXBsZS5jb20iLAogInRocCI6ICJaUk1leTFjR3cwN3psVExHYlhuUWFoUzBHdTAiCn0K
              filesystem: root
              mode: 420
              path: /etc/clevis.json
      EOF

  8. Add the rd.neednet=1 kernel argument to the MachineConfig for each node type, as shown in the following example:

      apiVersion: machineconfiguration.openshift.io/v1
      kind: MachineConfig
      metadata:
        name: <node_type>-tang 1
      spec:
        config:
          ignition:
            version: 3.1.0
        kernelArguments:
          - rd.neednet=1 2

    1 Use the name you defined in the previous examples, based on the type of node you are configuring, for example: name: worker-tang.
    2 Required.

  9. Continue with the remainder of the OpenShift Container Platform deployment.
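The steps above hand-assemble a Base64 data URL and paste it into a MachineConfig, which is easy to get wrong silently. The following is an added example, not code from the OpenShift documentation or the clevis project: it builds the /etc/clevis.json data URL and a MachineConfig that carries both the file and rd.neednet=1, decodes an existing data URL back to check it, and checks whether the pinned thp names a signing key in a Tang advertisement. It assumes that thp is the RFC 7638 JWK thumbprint as jose jwk thp computes it (SHA-1 for the 27-character values on this page, SHA-256 in newer clevis releases); the advertisement keys are constructed placeholders.

```python
import base64
import hashlib
import json
PREFIX = "data:text/plain;base64,"

# Constructed stand-in for the "keys" array of a Tang advertisement (/adv);
# the coordinates are placeholders, not real P-521 points.
SAMPLE_ADV_KEYS = [
    {"alg": "ES512", "kty": "EC", "crv": "P-521", "key_ops": ["verify"],
     "x": "AQ" + "A" * 86, "y": "AQ" + "B" * 86},
    {"alg": "ECMR", "kty": "EC", "crv": "P-521", "key_ops": ["deriveKey"],
     "x": "AQ" + "C" * 86, "y": "AQ" + "D" * 86},
]

def jwk_thumbprint(jwk: dict, alg: str = "S1") -> str:
    """RFC 7638 thumbprint of an EC JWK (assumed to be what `jose jwk thp`
    computes): SHA-1 gives the 27-character values on this page, SHA-256 43."""
    canonical = json.dumps({k: jwk[k] for k in ("crv", "kty", "x", "y")},
                           separators=(",", ":"), sort_keys=True).encode()
    digest = (hashlib.sha1 if alg == "S1" else hashlib.sha256)(canonical).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_source(url: str, thp: str) -> str:
    """Ignition data URL for /etc/clevis.json, same JSON layout as the heredoc."""
    cfg = json.dumps({"url": url, "thp": thp}, indent=1) + "\n"
    return PREFIX + base64.b64encode(cfg.encode()).decode()

def check_source(source: str, adv_keys: list) -> dict:
    """Decode a data URL and report whether its pinned thp names one of the
    advertisement's signing keys; an exchange (deriveKey) key must not count."""
    if not source.startswith(PREFIX):
        raise ValueError("unexpected Ignition source scheme")
    cfg = json.loads(base64.b64decode(source[len(PREFIX):]))
    thp = cfg["thp"]
    alg = "S1" if len(thp) == 27 else "S256"
    signing = {jwk_thumbprint(k, alg) for k in adv_keys
               if "verify" in k.get("key_ops", [])}
    return {"url": cfg["url"], "thp": thp, "alg": alg,
            "pinned_key_advertised": thp in signing}

def machine_config(role: str, source: str) -> dict:
    """One MachineConfig carrying both /etc/clevis.json and rd.neednet=1."""
    files = [{"contents": {"source": source}, "filesystem": "root",
              "mode": 420, "path": "/etc/clevis.json"}]
    return {"apiVersion": "machineconfiguration.openshift.io/v1",
            "kind": "MachineConfig",
            "metadata": {"name": f"{role}-tang",
                         "labels": {"machineconfiguration.openshift.io/role": role}},
            "spec": {"config": {"ignition": {"version": "2.2.0"},
                                "storage": {"files": files}},
                     "kernelArguments": ["rd.neednet=1"]}}
```

Run check_source against the data URL you pasted into the MachineConfig and against the keys from your own Tang server's advertisement before installing; a thp that matches no advertised signing key means the nodes will never unlock.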